Unresolved vulnerabilities also create code execution risk, warns Bitdefender
UPDATED Security vulnerabilities in baby monitors from Nooie could allow attackers to either access the camera feed or execute malicious code on vulnerable devices.
Researchers from infosec firm Bitdefender achieved remote code execution (RCE) capabilities on two models from the range of Nooie’s Baby Cam infant monitoring devices. Other devices from the same range may also be vulnerable but this has not been demonstrated.
The Nooie Cam software has 50,000-100,000 installs on the Google Play Store – an indication that the technology is fairly widely used.
The team from Bitdefender has uncovered four separate vulnerabilities.
First up was a stack-based buffer overflow or memory corruption vulnerability that could lead to remote code execution. The vulnerability – tracked as CVE-2020-15744 – is categorised as critical and relates to flaws in IoT software from Victure, the focus of previous research by Bitdefender.
Another flaw enables attackers to access the RTSPS (audio-video) feed of an arbitrary cameras.
Nooie‘s baby cameras rely on the MQTT protocol to announce the status of IoT devices and receive a URL location linked to RTSPS audio/video streams for each individual IoT device.
Bitdefender’s team discovered that the MQTT server managing feeds fails to require authentication, allowing a potential attacker to subscribe to a feed and get IDs for any device as it comes online.
Nooie’s baby cameras use Amazon Web Services (AWS) to store recordings on the cloud. Each device has its own unique credentials, but this information is readily obtained by potential attackers, Bitdefender discovered.
“An attacker can easily spoof the camera and forge a request on its behalf and gain illicit access to the credentials,” according to Bitdefender.
“The only prerequisites are the IDs leaked on the MQTT server (uuid and uid). After gaining access to the credentials, they can access the camera’s stored recordings.”
Bitdefender privately disclosed these various vulnerabilities in November 2020 before following up with proof of concept code and requests for an update on progress in developing patches.
After failing to hear anything substantive from the vendor, Bitdefender went public this month with details of the vulnerabilities and suggested mitigations, as explained in a technical blog post.
Och Aye the Nooie
The Daily Swig invited Nooie to comment on Birtdefender’s research or provide guidance to customers of affected baby cameras. We’re yet to hear back.
Bitdefender told The Daily Swig that the vulnerabilities could enable a range of potential attacks against consumers.
Dan Berte, director of IoT security at Bitdefender, said: “Hijacking the video feed is always of big emotional impact for the consumer from a privacy perspective, but RCE could also lead to denial of service, cryptomining, ransomware, or data exfiltration – equally concerning, if not more.”
Bitdefender came across the vulnerabilities as part of its wider research which is geared towards helping “vendors and customers stay on top of security and privacy blind spots and make the IoT ecosystem safer for everybody”.
Asked to comment on the comparative security of Nooie baby cams, Bitdefender offered a general statement explaining that the security of IoT devices was highly variable.
“Some manufacturers invest more in securing their products by employing best practices such as secure coding, dedicated engineering resources for self-assessment, bug bounty or disclosure programs, frequent updates, and other measures,” according to Bitdefender’s Berte.
“Others may either lack the technical know-how, available resources, or even interest in focusing on security.”
Berte concluded: “The lack of industry regulation around device security, the myriad of vendors globally, and the millions of IoT devices already connected make this space challenging from a cybersecurity standpoint.”
This story was updated to add that one of the flaws in Nooie's technology relates the security shortcomings in IoT software from Victure, the focus of previous Bitdefender security research.